With a new era of active enforcement of the HIPAA privacy and security laws upon us, companies need to figure out early-on whether they are regulated under HIPAA, either as covered entities or business associates.  However, determining whether a company is subject to the HIPAA privacy and security requirements is not always straightforward, especially for companies in the health technology space.  There are two ways in which a company can become subject to HIPAA: (1) it functions as a health plan, health care provider or health care clearinghouse which could potentially make it a HIPAA “covered entity”, or (2) on behalf of a covered entity it assists in the performance of a function involving the use or disclosure of medical information, which could potentially make it a HIPAA “business associate.  There are circumstances where telemedicine, remote medicine and other provider-driven technology companies could qualify as health care providers and hence “covered entities,” but most health tech companies that become subject to HIPAA’s privacy and security requirements do so because they engage in activities that make them “business associates”. 

 Although “business associate” is broadly defined under HIPAA, not every company that uses or discloses medical information will necessarily fall under the definition; some clearly fall outside the definition whereas others fall into a grey area.  Here are two important factors that may impact whether a tech company is a “business associate”. 

1.      To be a business associate, a company must be acting “on behalf of” a covered entity.

Although the definition of business associate broadly encompasses a wide range of functions (e.g. legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation and financial), these functions can only make a company a business associate if they are provided “on behalf of” a covered entity.   While there is limited guidance on what “on behalf of” means, it can arguably be interpreted as excluding from the “business associate” definition companies that do not sell or provide services specifically intended or designed for use by covered entities.  For example, even though some health care providers use iPhones or Skype to transmit medical information, these services are not activities that would require Apple or the owner of Skype to assume the classification of a HIPAA business associate.  This interpretation appears to be consistent with guidance from the Department of Health and Human Services explaining that companies that act as mere conduits for medical information such as the phone companies and the Postal Service are not business associates.  

Yet while it may seem obvious that the phone companies and the Postal Service are not business associates, these determinations are not as clear cut when you begin to consider the activities of many emerging health technology companies, and in particular companies operating within the mobile health and telemedicine industries. Consider a technology that is intended to facilitate communications among geographically distant physicians.  The technology is designed for use by physicians but not customized or specially designed for use by any particular physician or physician group.  Is the company that operates this technology acting on behalf of a covered entity?   Unfortunately, there is no simple answer to this question.  In this case and others like it determining whether the “on behalf of” element is met will often depend on the specific facts and circumstances (e.g. How is the medical information being used? Where it is stored? What is the nature of the arrangement with the covered entity?). 

 2.      The medical information must have originated from a covered entity. 

Companies that obtain medical information directly from consumers and do not receive or otherwise obtain information from covered entities are not necessarily business associates.  However, companies that not only collect medical information from consumers, but also exchange health related information with covered entities can be considered business associates.  This determination will depend on a variety of factors including the nature of the information exchange that takes place with the covered entity.  (What type of information is being exchanged? Which direction is it going? Was it modified by the covered entity? Etc.)  With tech companies increasingly seeking to occupy the role of intermediary between consumer and covered entity, many are going to find it important to consider whether they are exchanging information in ways that could turn them into business associates.

Because HIPAA business associates now have many of the same legal obligations as HIPAA covered entities, whether a company is deemed a business associate can really matter. While there are many good reasons for companies handling health information to adopt strong privacy and security safeguards (e.g. covered entities often require this as a condition of doing business with them), the HIPAA privacy and security requirements impose significant demands on companies, especially on early stage companies that may lack the resources to develop robust HIPAA compliance programs.  For these reasons and because the federal government has significantly ramped up its enforcement of HIPAA in recent years, it’s important to determine early-on whether your company is regulated under HIPAA, either as a covered entity or business associate.

Back to Health Law Advisor Blog

Search This Blog

Blog Editors

Related Services



Jump to Page


Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.